userinit.exe problem

Hi,
This is probably the worst virus (or whatever it is) I have ever had. I have some ideas on how to fix it, but I want to ask before I do anything, as they are only guesses!
It probably started after I got a file from a site that looked suspicious (Yeah, I know....I was just ignorantly optimistic that day. I'll slap myself later)
Anyway, here is the problem....XP almost starts fine, but then a message pops up:
"userinit.exe- Application error"
"The application failed to initialize properly (0xc0000005) Click on OK to terminate the application"
Then the desktop comes up without the taskbar or any icons. I hit ctrl+alt+del and it says that the administrator has disabled the feature. The windows key +e combo doesn't do anything.
I was wondering if when I push delete when the computer starts up, and it goes into that setup/maintenance screen, if I can do anything there...I don't want to mess with it yet, though.
I have one of those keyboards that let you shut down by pushing a few keys. If I put it into sleep, then wake it up... the dialogue box comes up that says it was locked, and only an administrator or that computer can unlock it. There, it asks for the password. Obviously, I didn't set one up, but what if I set the user password in that screen I was talking about earlier? Would that work?
Also, I have a home network set up, and wonder if I can access my 'broken' one from the other. (And would it be safe to do?)
I appreciate any help/suggestions someone can give me.
Thanks,
emu5088

Ok, I fixed it....
Part of the problem was that I could do absolutely nothing to get to a file browser. (or so I thought) That includes the internet or registry editor. Well... long story, but I was able to access it. Luckily, I created a restore point before I got the file. I restored it. It works fine now. I'm going to make sure there aren't any traces of the virus now, as well as backing up many things!
Is it ok to use more than one virus scan? Just curious because I heard that using more than one firewall can cancel each other. I have eTrust's virus scan and firewall from Road Runner... are they very good, or are there better ones out there (for free)?
Thanks for the help. I'll check back often to see what's new.
-emu5088

You can have more than one AV application on your hard drive; however, only one should be active at any one time. Be aware, also, that sometimes one will detect viruses you have quarantined with the other AV program!
Another solution is to keep one AV resident, and use one of the several on-line scans from time to time to double-check.
Some other tips are to never log on as administrator when surfing the web, and review your browser's settings to assure they are at the security optimum.
Regards,
John

Hi, I am having the same problem. I cannot get to any programs; the screen comes up blank with no programs or menu options, so I cannot get on the internet to do a virus search or anything. Please help me, I need my computer back! And what exactly is causing this?

Thanks ITshop360! I hadn't noticed that taskmanager has a menu at the top!

I spent some fitful hours eradicating this nasty virus - also the worst that I have seen. Avast didn't seem to catch it, sadly. It likely came from a questionable download of all2mp3.exe using utorrent. (I've seen other references to this issue with this download too - after I contracted the virus of course).

It has the effect of interfering with internet usage, so it gets very difficult to find a fix using that particular computer. It also incessantly pops up full-screen web sites, often for ads to do with your google search, or just porn when it's bored. I ran various registry cleaners and virus scanners, and nothing caught it. I did a system restore, and it worked once, but on the next reboot the problem re-surfaced! Ouch!!

So here's what it does and HOW TO GET RID OF IT:

It adds a RUNDLL32.exe startup command to load a (8 gibberish lettered name).dll such as jkknSycS.dll. I am guessing, but it doesn't appear as a process in task manager, so it must hook itself to other tasks to cause its interference, and to get a hook into the internet. By this means, it can also mess up inituser.exe as well as any program that wants to use rundll32.exe (such as a firewall - note that it turns off your firewall, so it may also open back doors into your PC). I recommend that once you finish reading this message, you print the instructions below, and then physically DISCONNECT YOUR PC FROM THE INTERNET UNTIL YOU ERADICATE THE VIRUS!

It also makes another randomly-named copy of itself and re-installs a startup command to run the new copy on the next bootup. This has the curious effect of working after EVERY delete of the offending startup line using HiJackThis.exe (By the way, it appears as a -O4 type command 'RUNDLL32 'gibberish'.dll'). So every time that you delete the line and then re-scan with hijackthis, it just re-appears with a fresh name!

To remove it:

1. Before you start, check 2 places - Use Startup|Run to run MSCONFIG.EXE - in the startup tab, you ought to see the 'RUNDLL32 (8 gibberish lettered name).dll' in the list. Make a note of the .dll name. Close MSCONFIG. Then open Windows Explorer and take a look in C:\Windows\System32. Sort by date modified, newest at the top. You will see a couple of 'StBcWXYZ-like'.ini and ini2 files - about 500KB in size, with a somewhat random-looking name with the datestamp of the moment when you got infected. Also, you will see several (8 gibberish lettered name).dll files with lengths between 60KB and 250KB. They will also have a similar creation date - note that some will be newer (these are the copies that I mentioned above). Erase all that you can - note that some of the .DLLs will refuse to be erased (since they are in use or otherwise protected).

2. Now, WRITE DOWN THE EXACT NAMES OF ALL OF THESE FILES! Note that there are a few recent files made by Windows - they are wpa.dbl, fntcache and config.nt - Oh, BTW, I'm using Windows XP SP2.

3. Restart your computer using a floppy or CD that boots you into DOS!!!!! If you don't have one, use Windows Explorer (or some other computer) to make a bootable floppy or CD.

4. In DOS, navigate to C:\windows\system32 and erase the offending files. If you don't know how, use DIR /? and ERASE /? for help. I think one of them is marked as a system/read-only file, so you may have to use the DIR /A options to get at it.

5. Once you're sure that they have ALL been deleted, restart your PC from C:

6. It should startup ok, give you a taskbar, and complain that it couldn't run the .DLL that held the virus.

7. NOW - reopen MSCONFIG.EXE and uncheck the line that tries to load the (now-missing) virus file.

8. Re-boot and go have a drink of success!!

AND PROMISE TO BE MORE CAREFUL NEXT TIME!

I'm documenting this before I forget, and who knows, I may be looking for this solution some years from now myself :-( !
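
The indicators listed in the removal post above (a rundll32 autostart line, 8-letter gibberish .dll files of 60KB to 250KB, and .ini/.ini2 files of about 500KB dated at the infection) can be checked mechanically to build the "write down the exact names" list from step 2. This is an added example, not part of any post in this thread; the HijackThis-style lines, the directory listing, the dates, the size window for the .ini files and the "looks random" heuristic are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data; only jkknSycS.dll is a name quoted in the thread.
O4_LINES = [
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r"O4 - HKLM\..\Run: [example] rundll32.exe C:\WINDOWS\system32\jkknSycS.dll,a",
]
LISTING = [  # (file name, size in KB, last modified) from System32
    ("jkknSycS.dll", 120, datetime(2008, 6, 1, 21, 14)),
    ("qWerTzpL.dll", 98, datetime(2008, 6, 2, 8, 3)),     # later re-spawned copy
    ("StBcWXYZ.ini", 510, datetime(2008, 6, 1, 21, 14)),
    ("StBcWXYZ.ini2", 505, datetime(2008, 6, 1, 21, 14)),
    ("wpa.dbl", 2, datetime(2008, 6, 2, 8, 1)),           # recent, but Windows' own
    ("config.nt", 3, datetime(2008, 6, 1, 9, 0)),
    ("netshell.dll", 1700, datetime(2004, 8, 4, 12, 0)),  # old system DLL
]
INFECTED_AT = datetime(2008, 6, 1, 21, 14)  # assumed time of the bad download

RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)

def rundll32_targets(o4_lines):
    """DLL base names loaded through rundll32 by O4 (autostart) lines."""
    hits = (RUNDLL.search(line) for line in o4_lines if line.startswith("O4"))
    return [m.group(1).rsplit("\\", 1)[-1] for m in hits if m]

def looks_random(stem):
    """Heuristic (assumption): 8 letters with an internal capital or <=1 vowel."""
    if not re.fullmatch(r"[A-Za-z]{8}", stem):
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    return vowels <= 1 or any(c.isupper() for c in stem[1:])

def triage(o4_lines, listing, infected_at, window=timedelta(days=3)):
    """Sorted file names to record before the offline cleanup."""
    startup = {n.lower() for n in rundll32_targets(o4_lines)}
    flagged = set()
    for name, kb, mtime in listing:
        stem, _, ext = name.rpartition(".")
        ext = ext.lower()
        recent = infected_at - timedelta(hours=1) <= mtime <= infected_at + window
        if ext == "dll" and looks_random(stem):
            if name.lower() in startup or (recent and 60 <= kb <= 250):
                flagged.add(name)
        elif ext in ("ini", "ini2") and recent and 400 <= kb <= 600:
            flagged.add(name)
    return sorted(flagged)
```

Calling `triage(O4_LINES, LISTING, INFECTED_AT)` flags the autostart DLL, its later copy and both .ini files, while the recent Windows files (wpa.dbl, config.nt) and the legitimate rundll32 entry are left out.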

I had the same "userinit.exe failed to initialize" problem, but I was able to resolve this problem largely using the method posted by KaZoom. Thanks a lot, KaZoom.
Although I have Norton Internet Security (NIS) 2008 installed and constantly updated, I somehow got the virus a few days ago. At the beginning, I noticed that I couldn't load my excite.com personal page using Firefox 3, but other web pages seemed to load without any problem.
The night before yesterday, NIS 2008 informed me that it had removed the viruses Vundo and Trojan.Horse (?), and that the system needed to be restarted to complete the removal process. After restarting, I got the "userinit.exe failed to initialize" notification twice, and then a blank screen. I could start the Task Manager by pressing "Ctrl + Alt + Del", but not much else.
After reading KaZoom's Post (#9) above, I started the computer using a backup hard drive I made using BounceBack Professional a while ago (I have two hard drives in the same computer, but the backup is not usually connected), and I compared the two folders: C:\Windows\System32 and the infected hard drive's \Windows\System32. Then I deleted the suspicious .ini and .dll files mentioned in KaZoom's post. I also found a couple of .ini and .dll files with names less than 8 characters long, and those files were not found on my healthy system and were created recently (probably after I got the virus). And I deleted those files too. Then I disconnected my healthy hard drive, booted from the once-infected drive, and followed Steps 6 to 8 in KaZoom's post.
For those that don't have a backup system drive and are not familiar with DOS, I suggest that you can use a USB hard drive enclosure to enclose the infected hard drive and connect it to a healthy system. Then you can use Explorer to delete the virus files.

Sounds like it's vundo. You better run vundofix, I had the same problem on a friend's computer and vundofix found several files. In addition I found a fake internet link put on the desktop by the virus on hers (And mine later!). Typically it looks like the IE or Firefox icon and says "Internet" but it's not the link!

To delete the entries on the Startup list (in the System Configuration Utility window, Startup tab. Run msconfig to access.) created by the virus, run regedit.exe, then do a search in the HKEY_LOCAL_MACHINE folder using the "Startup Item" name as a keyword. It will likely point you to the following directory:
HKEY_LOCAL_MACHINE\SOFTWARE\Shared Tools\MSConfig\Startupreg

Click on the sub-folder, you will see the "Startup Item" name. You can delete that sub-folder without any ill-effect, and the entry on the Startup list will be gone.

I just used your instructions to get rid of this virus. Works great. However, I'm not sure if I missed 3 files, or what. I went through, unchecked the item in the startup, and the next re-boot I had 3 more files and another entry in MSCONFIG startup.......

Also, safe mode still does not come up......but normal mode is fine, except for these 3 files.......